diff --git a/.gitignore b/.gitignore
index 2c3e956..6e3f15e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1 @@
-SOURCES/htcacheclean.service.xml
SOURCES/httpd-2.4.37.tar.bz2
-SOURCES/httpd.conf.xml
-SOURCES/httpd.service.xml
diff --git a/.httpd.metadata b/.httpd.metadata
index 091ca86..e540f7e 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,4 +1 @@
-a34c31169efbe6140496c37801489610461bdf9b SOURCES/htcacheclean.service.xml
4a38471de821288b0300148016f2b03dfee8adf2 SOURCES/httpd-2.4.37.tar.bz2
-fa18caadd0afbddc2c7a7fc404bf4f2b41867148 SOURCES/httpd.conf.xml
-888df830bdc465de3bced6f075c33380018e544f SOURCES/httpd.service.xml
diff --git a/SOURCES/htcacheclean.service.xml b/SOURCES/htcacheclean.service.xml
new file mode 100644
index 0000000..01b68e4
--- /dev/null
+++ b/SOURCES/htcacheclean.service.xml
@@ -0,0 +1,123 @@
+
+
+
+
+
+ htcacheclean systemd unit
+ httpd
+ AuthorOrtonJoejorton@redhat.com
+
+
+
+ htcacheclean.service
+ 8
+
+
+
+ htcacheclean.service
+ htcacheclean unit file for systemd
+
+
+
+
+ /usr/lib/systemd/system/htcacheclean.service
+
+
+
+
+ Description
+
+ This manual page describes the systemd
+ unit file for the htcacheclean daemon. This
+ unit file provides a service which runs
+ htcacheclean in daemon mode,
+ periodically cleaning the disk cache root to ensure disk space
+ usage is within configured limits.
+
+
+
+
+ Options
+
+ The service is configured by configuration file
+ /etc/sysconfig/htcacheclean. The following
+ variables are used, following standard systemd
+ EnvironmentFile= syntax:
+
+
+
+ INTERVAL=
+
+ Sets the interval between cache clean runs, in
+ minutes. By default this is configured as
+ 15.
+
+
+
+ CACHE_ROOT=
+
+ Sets the directory name used for the cache
+ root. By default this is configured as
+ /var/cache/httpd/proxy.
+
+
+
+ LIMIT=
+
+ Sets the total disk cache space limit, in
+ bytes. Use a K or M
+ suffix to signify kilobytes or megabytes. By default this is
+ set to 100M.
+
+
+
+ OPTIONS=
+
+ Any other options to pass to
+ htcacheclean.
+
+
+
+
+
+ Files
+
+ /usr/lib/systemd/system/htcacheclean.service,
+ /etc/sysconfig/htcacheclean
+
+
+
+ See also
+
+
+ htcacheclean8,
+ httpd8,
+ httpd.service8,
+ systemd.exec8
+
+
+
+
+
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2019-10092.patch b/SOURCES/httpd-2.4.37-CVE-2019-10092.patch
new file mode 100644
index 0000000..a06d9c2
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2019-10092.patch
@@ -0,0 +1,192 @@
+diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
+index e419eb6..dcafa9c 100644
+--- a/modules/http/http_protocol.c
++++ b/modules/http/http_protocol.c
+@@ -1132,13 +1132,10 @@ static const char *get_canned_error_string(int status,
+ "\">here.\n",
+ NULL));
+ case HTTP_USE_PROXY:
+- return(apr_pstrcat(p,
+- "
This resource is only accessible "
+- "through the proxy\n",
+- ap_escape_html(r->pool, location),
+- " \nYou will need to configure "
+- "your client to use that proxy.
\n",
+- NULL));
++ return("
This resource is only accessible "
++ "through the proxy\n"
++ " \nYou will need to configure "
++ "your client to use that proxy.
\n");
+ case HTTP_PROXY_AUTHENTICATION_REQUIRED:
+ case HTTP_UNAUTHORIZED:
+ return("
This server could not verify that you\n"
+@@ -1154,34 +1151,20 @@ static const char *get_canned_error_string(int status,
+ "error-notes",
+ "
\n"));
+ case HTTP_FORBIDDEN:
+- s1 = apr_pstrcat(p,
+- "
You don't have permission to access ",
+- ap_escape_html(r->pool, r->uri),
+- "\non this server. \n",
+- NULL);
+- return(add_optional_notes(r, s1, "error-notes", "
\n"));
++ return(add_optional_notes(r, "
You don't have permission to access this resource.", "error-notes", "
\n"));
+ case HTTP_NOT_FOUND:
+- return(apr_pstrcat(p,
+- "
The requested URL ",
+- ap_escape_html(r->pool, r->uri),
+- " was not found on this server.
\n",
+- NULL));
++ return("
The requested URL was not found on this server.
\n");
+ case HTTP_METHOD_NOT_ALLOWED:
+ return(apr_pstrcat(p,
+ "
The requested method ",
+ ap_escape_html(r->pool, r->method),
+- " is not allowed for the URL ",
+- ap_escape_html(r->pool, r->uri),
+- ".
\n",
++ " is not allowed for this URL.\n",
+ NULL));
+ case HTTP_NOT_ACCEPTABLE:
+- s1 = apr_pstrcat(p,
+- "
An appropriate representation of the "
+- "requested resource ",
+- ap_escape_html(r->pool, r->uri),
+- " could not be found on this server.
The precondition on the request "
+- "for the URL ",
+- ap_escape_html(r->pool, r->uri),
+- " evaluated to false.
\n",
+- NULL));
++ return("
The precondition on the request "
++ "for this URL evaluated to false.
\n");
+ case HTTP_NOT_IMPLEMENTED:
+ s1 = apr_pstrcat(p,
+ "
",
+- ap_escape_html(r->pool, r->method), " to ",
+- ap_escape_html(r->pool, r->uri),
+- " not supported. \n",
++ ap_escape_html(r->pool, r->method), " ",
++ " not supported for current URL. \n",
+ NULL);
+ return(add_optional_notes(r, s1, "error-notes", "
\n"));
+ case HTTP_BAD_GATEWAY:
+@@ -1211,29 +1189,19 @@ static const char *get_canned_error_string(int status,
+ "response from an upstream server. " CRLF;
+ return(add_optional_notes(r, s1, "error-notes", "\n"));
+ case HTTP_VARIANT_ALSO_VARIES:
+- return(apr_pstrcat(p,
+- "
A variant for the requested "
+- "resource\n
\n",
+- ap_escape_html(r->pool, r->uri),
+- "\n
\nis itself a negotiable resource. "
+- "This indicates a configuration error.\n",
+- NULL));
++ return("
A variant for the requested "
++ "resource\n
\n"
++ "\n
\nis itself a negotiable resource. "
++ "This indicates a configuration error.\n");
+ case HTTP_REQUEST_TIME_OUT:
+ return("
Server timeout waiting for the HTTP request from the client.
\n");
+ case HTTP_GONE:
+- return(apr_pstrcat(p,
+- "
The requested resource ",
+- ap_escape_html(r->pool, r->uri),
+- " \nis no longer available on this server "
+- "and there is no forwarding address.\n"
+- "Please remove all references to this "
+- "resource.
\n",
+- NULL));
++ return("
The requested resource is no longer available on this server"
++ " and there is no forwarding address.\n"
++ "Please remove all references to this resource.
\n");
+ case HTTP_REQUEST_ENTITY_TOO_LARGE:
+ return(apr_pstrcat(p,
+- "The requested resource ",
+- ap_escape_html(r->pool, r->uri), " \n",
+- "does not allow request data with ",
++ "The requested resource does not allow request data with ",
+ ap_escape_html(r->pool, r->method),
+ " requests, or the amount of data provided in\n"
+ "the request exceeds the capacity limit.\n",
+@@ -1317,11 +1285,9 @@ static const char *get_canned_error_string(int status,
+ "the Server Name Indication (SNI) in use for this\n"
+ "connection.\n");
+ case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS:
+- s1 = apr_pstrcat(p,
+- "
Access to ", ap_escape_html(r->pool, r->uri),
+- "\nhas been denied for legal reasons. \n",
+- NULL);
+- return(add_optional_notes(r, s1, "error-notes", "
\n"));
++ return(add_optional_notes(r,
++ "
Access to this URL has been denied for legal reasons. \n",
++ "error-notes", "
\n"));
+ default: /* HTTP_INTERNAL_SERVER_ERROR */
+ /*
+ * This comparison to expose error-notes could be modified to
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 800ede1..de48735 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1055,9 +1055,10 @@ static int proxy_handler(request_rec *r)
+ char *end;
+ maxfwd = apr_strtoi64(str, &end, 10);
+ if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {
+- return ap_proxyerror(r, HTTP_BAD_REQUEST,
+- apr_psprintf(r->pool,
+- "Max-Forwards value '%s' could not be parsed", str));
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
++ "Max-Forwards value '%s' could not be parsed", str);
++ return ap_proxyerror(r, HTTP_BAD_REQUEST,
++ "Max-Forwards request header could not be parsed");
+ }
+ else if (maxfwd == 0) {
+ switch (r->method_number) {
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 4a10987..8f6f853 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -1024,8 +1024,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ /* We break the URL into host, port, path-search */
+ if (r->parsed_uri.hostname == NULL) {
+ if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) {
+- return ap_proxyerror(r, HTTP_BAD_REQUEST,
+- apr_psprintf(p, "URI cannot be parsed: %s", url));
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
++ "URI cannot be parsed: %s", url);
++ return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed");
+ }
+ connectname = uri.hostname;
+ connectport = uri.port;
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 6501c68..0bbfa59 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -368,12 +368,9 @@ PROXY_DECLARE(char *)
+
+ PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message)
+ {
+- const char *uri = ap_escape_html(r->pool, r->uri);
+ apr_table_setn(r->notes, "error-notes",
+ apr_pstrcat(r->pool,
+- "The proxy server could not handle the request ", ap_escape_html(r->pool, r->method), " ", uri,
+- ".
\n"
++ "The proxy server could not handle the request
The SessionExpiryUpdateInterval directive allows
++ sessions to avoid the cost associated with writing the session each request
++ when only the expiry time has changed. This can be used to make a website
++ more efficient or reduce load on a database when using
++ mod_session_dbd. The session is always written if the data
++ stored in the session has changed or the expiry has changed by more than the
++ configured interval.
++
++
Setting the interval to zero disables this directive, and the session
++ expiry is refreshed for each request.
++
++
This directive only has an effect when combined with SessionMaxAge to enable session
++ expiry. Sessions without an expiry are only written when the data stored in
++ the session has changed.
++
++
Warning
++
Because the session expiry may not be refreshed with each request, it's
++ possible for sessions to expire up to interval seconds early.
++ Using a small interval usually provides sufficient savings while having a
++ minimal effect on expiry resolution.
++
+
+
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index d517020..10e6396 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -177,6 +177,7 @@ static apr_status_t ap_session_save(request_rec * r, session_rec * z)
+ {
+ if (z) {
+ apr_time_t now = apr_time_now();
++ apr_time_t initialExpiry = z->expiry;
+ int rv = 0;
+
+ session_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
+@@ -207,6 +208,17 @@ static apr_status_t ap_session_save(request_rec * r, session_rec * z)
+ z->expiry = now + z->maxage * APR_USEC_PER_SEC;
+ }
+
++ /* don't save if the only change is the expiry by a small amount */
++ if (!z->dirty && dconf->expiry_update_time
++ && (z->expiry - initialExpiry < dconf->expiry_update_time)) {
++ return APR_SUCCESS;
++ }
++
++ /* also don't save sessions that didn't change at all */
++ if (!z->dirty && !z->maxage) {
++ return APR_SUCCESS;
++ }
++
+ /* encode the session */
+ rv = ap_run_session_encode(r, z);
+ if (OK != rv) {
+@@ -553,6 +565,10 @@ static void *merge_session_dir_config(apr_pool_t * p, void *basev, void *addv)
+ new->env_set = add->env_set || base->env_set;
+ new->includes = apr_array_append(p, base->includes, add->includes);
+ new->excludes = apr_array_append(p, base->excludes, add->excludes);
++ new->expiry_update_time = (add->expiry_update_set == 0)
++ ? base->expiry_update_time
++ : add->expiry_update_time;
++ new->expiry_update_set = add->expiry_update_set || base->expiry_update_set;
+
+ return new;
+ }
+@@ -622,6 +638,21 @@ static const char *add_session_exclude(cmd_parms * cmd, void *dconf, const char
+ return NULL;
+ }
+
++static const char *
++ set_session_expiry_update(cmd_parms * parms, void *dconf, const char *arg)
++{
++ session_dir_conf *conf = dconf;
++
++ conf->expiry_update_time = atoi(arg);
++ if (conf->expiry_update_time < 0) {
++ return "SessionExpiryUpdateInterval must be positive or nul";
++ }
++ conf->expiry_update_time = apr_time_from_sec(conf->expiry_update_time);
++ conf->expiry_update_set = 1;
++
++ return NULL;
++}
++
+
+ static const command_rec session_cmds[] =
+ {
+@@ -637,6 +668,9 @@ static const command_rec session_cmds[] =
+ "URL prefixes to include in the session. Defaults to all URLs"),
+ AP_INIT_TAKE1("SessionExclude", add_session_exclude, NULL, RSRC_CONF|OR_AUTHCFG,
+ "URL prefixes to exclude from the session. Defaults to no URLs"),
++ AP_INIT_TAKE1("SessionExpiryUpdateInterval", set_session_expiry_update, NULL, RSRC_CONF|OR_AUTHCFG,
++ "time interval for which a session's expiry time may change "
++ "without having to be rewritten. Zero to disable"),
+ {NULL}
+ };
+
+diff --git a/modules/session/mod_session.h b/modules/session/mod_session.h
+index a6dd5e9..bdeb532 100644
+--- a/modules/session/mod_session.h
++++ b/modules/session/mod_session.h
+@@ -115,6 +115,9 @@ typedef struct {
+ * URLs included if empty */
+ apr_array_header_t *excludes; /* URL prefixes to be excluded. No
+ * URLs excluded if empty */
++ apr_time_t expiry_update_time; /* seconds the session expiry may change and
++ * not have to be rewritten */
++ int expiry_update_set;
+ } session_dir_conf;
+
+ /**
+diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c
+index 6a02322..4aa75e4 100644
+--- a/modules/session/mod_session_cookie.c
++++ b/modules/session/mod_session_cookie.c
+@@ -60,9 +60,6 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
+ session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_cookie_module);
+
+- /* don't cache auth protected pages */
+- apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
+-
+ /* create RFC2109 compliant cookie */
+ if (conf->name_set) {
+ if (z->encoded && z->encoded[0]) {
+@@ -162,6 +159,9 @@ static apr_status_t session_cookie_load(request_rec * r, session_rec ** z)
+ /* put the session in the notes so we don't have to parse it again */
+ apr_table_setn(m->notes, note, (char *)zz);
+
++ /* don't cache auth protected pages */
++ apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
++
+ return OK;
+
+ }
+diff --git a/modules/session/mod_session_dbd.c b/modules/session/mod_session_dbd.c
+index 0be7306..f683da2 100644
+--- a/modules/session/mod_session_dbd.c
++++ b/modules/session/mod_session_dbd.c
+@@ -245,6 +245,9 @@ static apr_status_t session_dbd_load(request_rec * r, session_rec ** z)
+ /* put the session in the notes so we don't have to parse it again */
+ apr_table_setn(m->notes, note, (char *)zz);
+
++ /* don't cache pages with a session */
++ apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
++
+ return OK;
+
+ }
+@@ -409,9 +412,6 @@ static apr_status_t session_dbd_save(request_rec * r, session_rec * z)
+ if (conf->name_set || conf->name2_set) {
+ char *oldkey = NULL, *newkey = NULL;
+
+- /* don't cache pages with a session */
+- apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
+-
+ /* if the session is new or changed, make a new session ID */
+ if (z->uuid) {
+ oldkey = apr_pcalloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1);
+@@ -458,7 +458,7 @@ static apr_status_t session_dbd_save(request_rec * r, session_rec * z)
+ else if (conf->peruser) {
+
+ /* don't cache pages with a session */
+- apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
++ apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
+
+ if (r->user) {
+ ret = dbd_save(r, r->user, r->user, z->encoded, z->expiry);
diff --git a/SOURCES/httpd.conf.xml b/SOURCES/httpd.conf.xml
new file mode 100644
index 0000000..705e527
--- /dev/null
+++ b/SOURCES/httpd.conf.xml
@@ -0,0 +1,259 @@
+
+
+
+
+
+
+ httpd.conf
+ httpd
+ AuthorOrtonJoejorton@redhat.com
+
+
+
+ httpd.conf
+ 5
+
+
+
+ httpd.conf
+ Configuration files for httpd
+
+
+
+
+ /etc/httpd/conf/httpd.conf,
+ /etc/httpd/conf.modules.d,
+ /etc/httpd/conf.d
+
+
+
+
+ Description
+
+ The main configuration file for the httpd daemon is
+ /etc/httpd/conf/httpd.conf. The syntax of
+ this file is described at , and
+ the full set of available directives is listed at .
+
+
+
+ Configuration structure
+
+ The main configuration file
+ (httpd.conf) sets up various defaults and
+ includes configuration files from two directories -
+ /etc/httpd/conf.modules.d and
+ /etc/httpd/conf.d. Packages containing
+ loadable modules (like ) place files
+ in the conf.modules.d directory with the
+ appropriate directive so that module
+ is loaded by default.
+
+ Some notable configured defaults are:.
+
+
+
+
+ The default document root from which content
+ is served.
+
+
+
+ The daemon lists on TCP port 80.
+
+
+
+ Error messages are logged to
+ @LOGDIR@/error_log.
+
+
+
+ CGI scripts are served via the URL-path .
+
+
+
+
+ To remove any of the default configuration provided in
+ separate files covered below, replace that file with an empty
+ file rather than removing it from the filesystem, otherwise it
+ may be restored to the original when the package which provides
+ it is upgraded.
+
+
+
+
+ MPM configuration
+
+ The configuration file at
+ /etc/httpd/conf.modules.d/00-mpm.conf is
+ used to select the multi-processing module (MPM), which governs
+ how httpd divides work between processes
+ and/or threads at run-time. Exactly one
+ directive must be uncommented in
+ this file; by default the MPM is enabled.
+ For more information on MPMs, see .
+
+ If using the prefork MPM, the
+ "httpd_graceful_shutdown" SELinux boolean should also be
+ enabled, since with this MPM, httpd needs to establish TCP
+ connections to local ports to successfully complete a graceful
+ restart or shutdown. This boolean can be enabled by running the
+ command: semanage boolean -m --on
+ httpd_graceful_shutdown
+
+
+
+ Module configuration files
+
+ Module configuration files are provided in the
+ /etc/httpd/conf.modules.d/ directory. Filenames
+ in this directory are by convention prefixed with two digit numeric
+ prefix to ensure they are processed in the desired order. Core
+ modules provide with the httpd package are
+ loaded by files with a prefix to ensure
+ these are loaded first. Only filenames with a
+ suffix in this directory will be
+ processed.
+
+ Other provided configuration files are listed below.
+
+
+
+ /etc/httpd/conf.modules.d/00-base.conf
+ The set of core modules included with
+ httpd which are all loaded by
+ default.
+
+
+
+ /etc/httpd/conf.modules.d/00-optional.conf
+ The set of non-core modules included with
+ httpd which are not
+ loaded by default.
+
+
+
+
+ /etc/httpd/conf.modules.d/00-systemd.conf
+ This file loads
+ which is necessary for the correct operation of the
+ httpd.service service, and should not be
+ removed or disabled.
+
+
+
+
+
+
+ Other configuration files
+
+ Default module configuration files and site-specific
+ configuration files are loaded from the
+ /etc/httpd/conf.d/ directory. Only files
+ with a suffix will be loaded. The
+ following files are provided:
+
+
+
+ /etc/httpd/conf.d/userdir.conf
+ This file gives an example configuration for
+ to map URLs such as
+ to
+ /home/jim/public_html/. Userdir mapping
+ is disabled by default.
+
+
+
+ /etc/httpd/conf.d/autoindex.conf
+ This file provides the default configuration
+ for which generates HTML
+ directory listings when enabled. It also makes file icon
+ image files available at the
+ URL-path.
+
+
+
+ /etc/httpd/conf.d/welcome.conf
+ This file enables a "welcome page" at
+ if no content is present
+ in the default documentation root
+ /var/www/html.
+
+
+
+ /etc/httpd/conf.d/ssl.conf (present only if is installed)
+ This file configures a TLS
+ listening on port
+ . If the default configuration is used,
+ the referenced test certificate and private key are
+ generated the first time httpd.service is
+ started; see
+ httpd-init.service8
+ for more information.
+
+
+
+
+
+
+ Instantiated services
+
+ As an alternative to (or in addition to) the
+ httpd.service unit, the instantiated template
+ service httpd@.service unit file can be used,
+ which starts httpd using a different
+ configuration file to the default. For example,
+ systemctl start httpd@foobar.service will
+ start httpd using the configuration file
+ /etc/httpd/conf/foobar.conf. See httpd@.service8 for more information.
+
+
+
+
+ Files
+
+
+ /etc/httpd/conf/httpd.conf,
+ /etc/httpd/conf.d,
+ /etc/httpd/conf.modules.d
+
+
+
+
+ See also
+
+
+ httpd8,
+ httpd.service8,
+ ,
+
+
+
+
+
+
+
diff --git a/SOURCES/httpd.service.xml b/SOURCES/httpd.service.xml
new file mode 100644
index 0000000..b2c72dd
--- /dev/null
+++ b/SOURCES/httpd.service.xml
@@ -0,0 +1,332 @@
+
+
+
+
+
+
+ httpd systemd units
+ httpd
+ AuthorOrtonJoejorton@redhat.com
+
+
+
+ httpd.service
+ 8
+
+
+
+ httpd.service
+ httpd@.service
+ httpd.socket
+ httpd-init.service
+ httpd unit files for systemd
+
+
+
+
+ /usr/lib/systemd/system/httpd.service,
+ /usr/lib/systemd/system/httpd@.service,
+ /usr/lib/systemd/system/httpd-init.service,
+ /usr/lib/systemd/system/httpd.socket
+
+
+
+
+ Description
+
+ This manual page describes the systemd
+ unit files used to integrate the httpd daemon
+ with systemd. Two main unit files are
+ available: httpd.service allows the
+ httpd daemon to be run as a system service, and
+ httpd.socket allows httpd to be started via
+ socket-based activation. Most systems will use
+ httpd.service.
+
+ The apachectl command has been modified
+ to invoke systemctl for most uses, so for
+ example, running apachectl start is equivalent
+ to running systemctl start httpd.service. This
+ ensures that the running httpd daemon is tracked and managed by
+ systemd. In contrast, running
+ httpd directly from a root shell will start the
+ service outside of systemd; in this case,
+ default security restrictions described below (including, but not
+ limited to, SELinux) will not be enforced.
+
+
+ Changing default behaviour
+
+ To change the default behaviour of the httpd service, an
+ over-ride file should be created, rather
+ than changing
+ /usr/lib/systemd/system/httpd.service
+ directly, since such changes would be lost over package
+ upgrades. Running systemctl edit
+ httpd.service or systemctl edit
+ httpd.socket as root will create a drop-in file (in
+ the former case, in
+ /etc/systemd/system/httpd.service.d) which
+ over-rides the system defaults.
+
+ For example, to set the
+ environment variable for the daemon, run systemctl edit
+ httpd.service and enter:
+
+ [Service]
+Environment=LD_LIBRARY_PATH=/opt/vendor/lib
+
+
+
+ Starting the service at boot time
+
+ The httpd.service and httpd.socket units are
+ disabled by default. To start the httpd
+ service at boot time, run: systemctl enable
+ httpd.service. In the default configuration, the
+ httpd daemon will accept connections on port 80 (and, if mod_ssl
+ is installed, TLS connections on port 443) for any configured
+ IPv4 or IPv6 address.
+
+ If httpd is configured to depend on any specific IP
+ address (for example, with a "Listen" directive) which may only
+ become available during start-up, or if httpd depends on other
+ services (such as a database daemon), the service
+ must be configured to ensure correct
+ start-up ordering.
+
+ For example, to ensure httpd is only running after all
+ configured network interfaces are configured, create a drop-in
+ file (as described above) with the following section:
+
+ [Unit]
+After=network-online.target
+Wants=network-online.target
+
+ See
+ for more information on start-up ordering with systemd.
+
+
+
+
+ SSL/TLS certificate generation
+
+ The httpd-init.service unit is provided
+ with the mod_ssl package. This oneshot unit automatically
+ creates a TLS server certificate and key (using a generated
+ self-signed CA certificate and key) for testing purposes before
+ httpd is started. To inhibit certificate generation, use
+ systemctl mask httpd-init.service after
+ installing mod_ssl, and adjust the mod_ssl configuration to use
+ an appropriate certificate and key.
+
+
+
+
+ Reloading and stopping the service
+
+ When running systemctl reload
+ httpd.service, a graceful
+ restart is used, which sends a signal to the httpd parent
+ process to reload the configuration and re-open log files. Any
+ children with open connections at the time of reload will
+ terminate only once they have completed serving requests. This
+ prevents users of the server seeing errors (or potentially
+ losing data) due to the reload, but means some there is some
+ delay before any configuration changes take effect for all
+ users.
+
+ Similarly, a graceful stop is used
+ when systemctl stop httpd.service is run,
+ which terminates the server only once active connections have
+ been processed.
+
+ To "ungracefully" stop the server without waiting for
+ requests to complete, use systemctl kill
+ --kill-who=main httpd; similarly to "ungracefully"
+ reload the configuration, use systemctl kill
+ --kill-who=main --signal=HUP httpd.
+
+
+
+ Automated service restarts
+
+ System packages (including the httpd package itself) may
+ restart the httpd service automatically after packages are
+ upgraded, installed, or removed. This is done using the
+ systemctl reload httpd.service, which
+ produces a graceful restart by default as
+ described above.
+
+ To suppress automatic reloads entirely, create the file
+ /etc/sysconfig/httpd-disable-posttrans.
+
+
+
+ Changing the default MPM (Multi-Processing Module)
+
+ httpd offers a choice of multi-processing modules (MPMs),
+ which can be configured in
+ /etc/httpd/conf.modules.d/00-mpm.conf.
+ See
+ httpd.conf5
+ for more information on changing the MPM.
+
+
+
+ systemd integration and mod_systemd
+
+ The httpd service uses the systemd
+ service type. The mod_systemd module must be
+ loaded (as in the default configuration) for this to work
+ correctly - the service will fail if this module is not
+ loaded. mod_systemd also makes worker and
+ request statistics available when running systemctl status
+ httpd. See
+ systemd.exec5
+ for more information on systemd service types.
+
+
+
+ Security and SELinux
+
+ The default SELinux policy restricts the httpd service in
+ various ways. For example, the default policy limits the ports
+ to which httpd can bind (using the Listen
+ directive), which parts of the filesystem can be accessed, and
+ whether outgoing TCP connections are possible. Many of these
+ restrictions can be relaxed or adjusted by using
+ semanage to change booleans or other
+ types. See
+ httpd_selinux8
+ for more information.
+
+ The httpd service enables PrivateTmp
+ by default. The /tmp and
+ /var/tmp directories available within the
+ httpd process (and CGI scripts, etc) are not shared by other
+ processes. See
+ systemd.exec5
+ for more information.
+
+
+
+
+ Socket activation
+
+ Socket activation (see
+ systemd.socket5
+ for more information) can be used with httpd
+ by enabling the httpd.socket unit. The
+ httpd listener configuration must exactly
+ match the ListenStream options configured for
+ the httpd.socket unit. The default
+ httpd.socket has a
+ ListenStream=80 and, if mod_ssl is installed,
+ ListenStream=443 by a drop-in file. If
+ additional Listen directives are added to the
+ httpd configuration, corresponding
+ ListenStream options should be added via
+ drop-in files, for example via systemctl edit
+ httpd.socket.
+
+ If using socket activation with httpd, only one listener
+ on any given TCP port is supported; a configuration with both
+ "Listen 127.0.0.1:80" and "Listen
+ 192.168.1.2:80" will not work.
+
+
+
+ Instantiated services
+
+ The httpd@.service unit is an
+ instantiated template service. An instance of this unit will be
+ started using the configuration file
+ /etc/httpd/conf/INSTANCE.conf, where
+ INSTANCE is replaced with the instance
+ name. For example, systemctl start
+ httpd@foobar.service will start httpd using the
+ configuration file
+ /etc/httpd/conf/foobar.conf. The
+ environment variable is set to
+ the instance name by the unit and is available for use within
+ the configuration file.
+
+ To allow multiple instances of httpd to run
+ simultaneously, a number of configuration directives must be
+ changed, such as PidFile and
+ DefaultRuntimeDir to pick non-conflicting
+ paths, and Listen to choose different ports.
+ The example configuration file
+ /usr/share/doc/httpd/instance.conf
+ demonstrates how to make such changes using
+ variable.
+
+ It can be useful to configure instances of
+ httpd@.service to reload when
+ httpd.service is reloaded; for example,
+ logrotate will reload only
+ httpd.service when logs are rotated. If this
+ behaviour is required, create a drop-in file for the instance as
+ follows:
+
+ [Unit]
+ReloadPropagatedFrom=httpd.service
+
+ As with normal units, drop-in files for instances can be created
+ using systemctl edit, e.g. systemctl edit
+ httpd@foobar.service.
+
+
+
+
+
+ Files
+
+ /usr/lib/systemd/system/httpd.service,
+ /usr/lib/systemd/system/httpd.socket,
+ /usr/lib/systemd/system/httpd@.service,
+ /etc/systemd/systemd/httpd.service.d
+
+
+
+ See also
+
+
+ httpd8,
+ httpd.conf5,
+ systemd1,
+ systemctl1,
+ systemd.service5,
+ systemd.exec5,
+ systemd.socket5,
+ httpd_selinux8,
+ semanage8
+
+
+
+
+
+
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index a855696..d07a4b1 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
-Release: 21%{?dist}
+Release: 30%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -90,9 +90,12 @@ Patch32: httpd-2.4.37-sslprotdefault.patch
Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1725031
Patch34: httpd-2.4.37-r1861793+.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1704317ě
+# https://bugzilla.redhat.com/show_bug.cgi?id=1704317
Patch35: httpd-2.4.37-sslkeylogfile-support.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=1794728
+Patch36: httpd-2.4.37-session-expiry-updt-int.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1209162
+Patch37: httpd-2.4.37-logjournal.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch61: httpd-2.4.35-r1738878.patch
@@ -122,6 +125,10 @@ Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch
Patch74: httpd-2.4.37-r1828172+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1775158
Patch75: httpd-2.4.37-r1870095+.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1771847
+Patch76: httpd-2.4.37-proxy-continue.patch
+Patch77: httpd-2.4.37-balancer-failover.patch
+
# Security fixes
Patch200: httpd-2.4.37-r1851471.patch
@@ -137,6 +144,16 @@ Patch204: httpd-2.4.37-CVE-2019-0220.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
# https://bugzilla.redhat.com/show_bug.cgi?id=1741868
Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1823259
+# https://bugzilla.redhat.com/show_bug.cgi?id=1747284
+# fixes both CVE-2020-1927 and CVE-2019-10098
+Patch206: httpd-2.4.37-CVE-2019-10098.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1747281
+Patch207: httpd-2.4.37-CVE-2019-10092.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1747291
+Patch208: httpd-2.4.37-CVE-2019-10097.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820772
+Patch209: httpd-2.4.37-CVE-2020-1934.patch
License: ASL 2.0
Group: System Environment/Daemons
@@ -280,6 +297,8 @@ interface for storing and accessing per-user session data.
%patch33 -p1 -b .mod-md-mod-ssl-hooks
%patch34 -p1 -b .r1861793+
%patch35 -p1 -b .sslkeylogfile-support
+%patch36 -p1 -b .session-expiry
+%patch37 -p1 -b .logjournal
%patch61 -p1 -b .r1738878
%patch62 -p1 -b .r1633085
@@ -294,6 +313,9 @@ interface for storing and accessing per-user session data.
%patch73 -p1 -b .ocspwrongctx
%patch74 -p1 -b .r1828172+
%patch75 -p1 -b .r1870095+
+%patch76 -p1 -b .proxy-continue
+%patch77 -p1 -b .balancer-failover
+
%patch200 -p1 -b .r1851471
%patch201 -p1 -b .CVE-2019-0211
@@ -301,6 +323,10 @@ interface for storing and accessing per-user session data.
%patch203 -p1 -b .CVE-2019-0217
%patch204 -p1 -b .CVE-2019-0220
%patch205 -p1 -b .CVE-2019-9511-and-9516-and-9517
+%patch206 -p1 -b .CVE-2019-10098
+%patch207 -p1 -b .CVE-2019-10092
+%patch208 -p1 -b .CVE-2019-10097
+%patch209 -p1 -b .CVE-2020-1934
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -613,7 +639,7 @@ exit 0
%systemd_preun httpd.service htcacheclean.service httpd.socket
%postun
-%systemd_postun
+%systemd_postun httpd.service htcacheclean.service httpd.socket
# Trigger for conversion from SysV, per guidelines at:
# https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd
@@ -803,6 +829,30 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Mon Jun 15 2020 Joe Orton - 2.4.37-30
+- Resolves: #1209162 - support logging to journald from CustomLog
+
+* Mon Jun 08 2020 Lubos Uhliarik - 2.4.37-29
+- Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of
+ uninitialized value
+
+* Fri May 29 2020 Lubos Uhliarik - 2.4.37-28
+- Related: #1771847 - BalancerMember ping parameter for mod_proxy_http
+ doesn't work
+
+* Tue Apr 14 2020 Lubos Uhliarik - 2.4.37-27
+- Resolves: #1823259 - CVE-2020-1927 httpd:2.4/httpd: mod_rewrite configurations
+ vulnerable to open redirect
+- Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential
+ open redirect
+- Resolves: #1747281 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site
+ scripting in mod_proxy error page
+- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
+ in mod_remoteip
+- Resolves: #1771847 - BalancerMember ping parameter for mod_proxy_http
+ doesn't work
+- Resolves: #1794728 - Backport of SessionExpiryUpdateInterval directive
+
* Mon Dec 02 2019 Lubos Uhliarik - 2.4.37-21
- Resolves: #1775158 - POST request with TLS 1.3 PHA client auth fails:
Re-negotiation handshake failed: Client certificate missing
SessionHeader